General Data Protection Regulation (GDPR) FAQs for small retailers

If I use CCTV in my shop, do I need to comply with the GDPR?

The short answer is yes – CCTV cameras capture images that allow you to identify individuals, which means that these images fall within the GDPR’s definition of personal data. You need to make sure you have appropriate signage in place to inform people that CCTV is in operation and why you are using it. This isn’t a new requirement and you should already be providing this information under the Data Protection Act 1998. However, the GDPR is more prescriptive and you should make sure that people are provided with all the privacy information required under the GDPR, possibly on your website or elsewhere on the premises. For more advice on the information you need to provide in privacy notices, including CCTV signage, take a look at our guidance on privacy notices, transparency and control.

When using CCTV systems, you also need to make sure they are only used for limited and specific purposes, the images recorded are relevant to those purposes, and recordings are not retained for longer than necessary. You also need to decide whether CCTV is a reasonable response to the issue you’re seeking to address. More information is available in our CCTV code of practice.

Will GDPR prevent me from sharing information with other local retailers about people I’ve banned from my shop?

The GDPR is not designed to prevent you sharing personal data for legitimate reasons. However, if you’re deciding whether to share information about banned individuals with other local retailers, either directly or through a business crime reduction partnership, you need to make sure you’re able to share the information in a way that complies with the requirements of GDPR.

For example, you’ll need to address the following questions:

Is the data sharing fair, legal and transparent?

Is the information relevant to the other retailers I’m looking to share it with?

Is the information accurate?

Is the information shared in a secure format and manner?

How would you and the other retailers respond to requests from individuals wishing to exercise their rights in relation to the information?

Have you determined whether the information relates to the commission or alleged commission of an offence, thus bringing in additional requirements under GDPR?

It’s important to remember that even if you’re sharing images of an individual where you don’t know their name, you are still processing personal data as it’s likely that you or the other retailers involved will be able to identify the individual from the images alone or in combination with other information. The GDPR will apply in these scenarios.

Can I require people to sign up to marketing if they want to join my loyalty scheme?

Firstly, you need to consider which methods you use to send direct marketing and whether you need the individual’s consent to market to them. If you’re marketing by electronic means, including email, SMS, fax or phone, you’ll need to comply with the direct marketing requirements of the Privacy and Electronic Communications Regulations (PECR) alongside the GDPR. For example, if you’re sending direct marketing by email, in most cases you’ll need the individual’s consent to do so. More information is available in our B2B marketing factsheet and our detailed direct marketing guidance.

You should avoid making consent a precondition of a service. So, if your loyalty scheme allows people to collect points when they shop, which they can then redeem against future purchases, you can’t require them to consent to marketing emails in order for them to collect these points. However, if a scheme is operated purely for the purposes of sending people marketing offers, you need to be upfront and clear about this and will need to ensure that the consent people provide when signing up meets the GDPR standard. More information is available in our draft GDPR consent guidance.

If I collected customer details before the GDPR came into effect, do I still need to provide them with an updated privacy policy?

The GDPR requires you to provide people with privacy information at the time you obtain personal data from them. If you collected customer data prior to 25 May 2018, you should ensure that they were provided with a privacy notice meeting the requirements of the Data Protection Act at the time. If they weren’t given this, you’ll need to provide them with the privacy information required under the GDPR. You will also have to do this if the way you handle their information or why you handle it changes after May 2018. Our guidance on privacy notices, transparency and control provides more details of the information you need to give people.

Even if you’ve provided people with adequate privacy information under the Data Protection Act and the purposes and manner of your data handling haven’t changed, it’s still good practice to make GDPR privacy information available on your website or during any regular communication you have with them.